From 39e43db08fa3cd707dae96a00767c4525369fc2b Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Tue, 28 Jun 2022 22:06:05 -0700
Subject: [PATCH] AssetBuilder - Validate checksum for requested parameters

---
 Civi/Core/AssetBuilder.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/Civi/Core/AssetBuilder.php b/Civi/Core/AssetBuilder.php
index 3d1a4d9a9c..e723525ff1 100644
--- a/Civi/Core/AssetBuilder.php
+++ b/Civi/Core/AssetBuilder.php
@@ -369,7 +369,18 @@ class AssetBuilder extends \Civi\Core\Service\AutoService {
   public static function pageRender($get) {
     // Beg your pardon, sir. Please may I have an HTTP response class instead?
     try {
+      /** @var Assetbuilder $assets */
       $assets = \Civi::service('asset_builder');
+
+      $expectDigest = $assets->digest($get['an'], $assets->decode($get['ap']));
+      if ($expectDigest !== $get['ad']) {
+        return [
+          'statusCode' => 500,
+          'mimeType' => 'text/plain',
+          'content' => 'Invalid digest',
+        ];
+      }
+
       return $assets->render($get['an'], $assets->decode($get['ap']));
     } catch (UnknownAssetException $e) {
-- 
2.25.1
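Review bot: The new digest check reads `$get['an']`, `$get['ap']` and `$get['ad']` without confirming they are present, so a request missing any of them raises an undefined-key warning before the comparison rejects it, and `$assets->decode($get['ap'])` runs on the still-unverified parameter ahead of the check. A safer shape is `$an = $get['an'] ?? ''; $ap = $get['ap'] ?? ''; $ad = (string) ($get['ad'] ?? '');` followed by `if (!hash_equals($expectDigest, $ad)) {`, since if `digest()` incorporates a site secret (not visible here) the strict `!==` comparison is not timing-safe. The decoded parameters are also computed twice; a single `$params = $assets->decode($ap);` can feed both `digest()` and `render()`. A client-supplied bad digest describes a request error rather than a server fault, so a 400 or 403 `statusCode` would fit better than 500, and the `@var Assetbuilder` docblock should use the class's actual spelling `AssetBuilder` so static analysis resolves it. The body of pageRender continues past the end of the hunk.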